Thursday, 11 October 2007

What's more insecure, the iPhone or Apple?

It's been interesting to watch the reactions to Apple's crackdown on people who hack their iPhones.

If you've been living in a cave or otherwise off the net, I should explain that Apple's latest software update for the iPhone tends to disable phones that have been hacked to undo the SIM lock (enabling them to make calls on other networks) or to install third party applications. In some cases, Apple has refused to repair the software in these "bricked" phones, forcing the user to buy a new one.

I've read contradictory reports on what level of hacking causes the iPhone to be disabled. Some reports say the update disables the phone only if the SIM lock has been broken. In phones with an intact SIM lock but third party applications, word is that the update "merely" erases the apps without disabling the phone. But the fear among iPhone users is that doing anything unauthorized with the phone, even installing an app, can cause it to be disabled. Apple appears to be feeding this fear deliberately.

This has stopped (at least temporarily) the rapid growth of third party applications that developers and enthusiasts had started creating for the iPhone. Although Apple doesn't endorse or encourage the creation of native apps for the iPhone, developers had quickly found ways to access the modified version of Mac OS X inside the iPhone, and were busily producing a series of interesting and cute add-ons.

I was astounded by the speed at which iPhone applications were appearing. Usually it takes about six months to get developers cranked up on a new device, and that's when things are going well. Just three months after the first shipment of the iPhone, there were already a lot of interesting apps appearing, and David Pogue at the New York Times had even created a video celebrating them (link).

Most technology companies would kill to have that publicity and a bunch of third parties creating new software for their products. Web 2.0 companies are all adding application interfaces so they can get developers, companies like Adobe, Microsoft, and Google are competing aggressively to create APIs for web development, and even Apple invests heavily in encouraging developers to create software for the Mac.

The assault on hacked iPhones has provoked a nasty reaction online, starting among enthusiasts (check out the video here) and now spreading to the mainstream press. The latest example, pointed out to me by Chris Dunphy (an angry iPhone user), is from BusinessWeek (link):

"Wasn't Apple itself the creation of two guys in a garage with a knack for making interesting ideas into real things? So why punish the people who try to create something interesting, threatening them with the prospect of an inoperative phone?....The company that styles itself as the technology supplier of choice for creative people with great ideas is insisting that to own its products is to accept a defined orthodoxy where there's only one acceptable way to do things. That doesn't sound like the Apple I know. So I'm not going to buy an iPhone. And until Apple commits to changing this ridiculous policy, I don't think you should either."

I can't remember the last time someone at BusinessWeek actively campaigned against a product of any sort.

Why would Apple expose itself to so much criticism?

The weirdest thing about this whole saga is that it's not at all clear why Apple is putting itself through it. I've been asking myself that a lot, and want to share some thoughts.

The first thing I think we have to do is separate the SIM lock issue from the applications issue. They are two very different business and technical issues, and Apple may have completely different motivations for pursuing them.

Why defend the SIM lock? Many mobile phones, especially in the US, are locked for use on a particular network. All CDMA phones outside of China are like this (because there is no SIM card), and many GSM phones in the US are as well. The excuse for this is usually that the operator paid a subsidy for the phone hardware, and needs to recover the subsidy through service charges. But the operators also achieve this recovery through big cancellation fees if you switch operators before the contract is up, so the industry has not traditionally worked very hard to defend the SIM lock. Unlock codes for many phones are available online, and many operators will reportedly unlock your phone if you call them and say that you're traveling overseas.

Apple is the first phone hardware vendor that I've seen aggressively defend the SIM lock, and I'm not sure why. The most common explanation on the Web is that Apple's getting a revenue share on the monthly billings from iPhone users, so it actually loses a lot of money when any iPhone moves to another network. There is also speculation that if iPhones can be moved into countries where they are not available, Apple will have trouble extracting lots of money from local operators who sign up to carry the phone.

The latter explanation doesn't hold a lot of water for me -- most people want their phone to work in their native language, so an English-language version of the iPhone is not going to destroy the market for a legitimate iPhone in France. Also, iPhones moved onto unauthorized networks lose some of their cool features, such as the visual voicemail function. If Apple were selling iPhones in some countries for $99 and in others for $699, I would see more of a gray market threat, but the price gaps are not nearly that large. Combine the language issue, loss of features, and low opportunity for price arbitrage, and I don't think there is enough motivation for Apple to subject itself to the abuse it's taking.

But the revenue opportunity is a different thing. If Apple got, say, 20% of the mobile billings for an authorized iPhone, that would probably be about $120 a year from an average user -- in pure profit. That's going to be similar to the total margin Apple makes on the actual iPhone hardware, and they get the billings every year. I have no idea if Apple's actually getting 20%, but that sort of number has been rumored for some of the European iPhone deals. Even if Apple's cut is only 10%, the revenue share would be a huge part of Apple's total profit on the iPhone, and something they would be willing to defend vigorously, even if it pisses people off.

Why kill third party applications? This one is harder to understand, because I don't understand what Apple gains from it. Having applications for the iPhone makes it more popular, and also sucks up developer activity that could go to competing products. My first reaction when I heard that Apple wouldn't allow applications on the iPhone was that it was a control issue for Steve Jobs - he watched the base of cool Mac developers get sucked away by Windows, and never wants to be vulnerable to a third party again (link).

There are a lot of commentators online who assume the control freak attitude is driving Apple's behavior on the iPhone. Others speculate that Apple is planning to offer a third party applications store, in which it will take a large revenue cut for third party applications that have been approved by Apple. I have no idea what the cut would be, so it's hard to say how much it's worth to Apple. But I think if it were a big part of their plans, they would have made that store available on the first version of the device. So although I believe they might create such a store (it's an obvious thing to do), I don't think that is the whole explanation. It's hard for me to see them bringing this level of criticism on themselves just to defend that hypothetical store.

Instead, I'm starting to suspect that they have a deeper motivation that they don't want to discuss in public because even acknowledging it could damage iPhone sales. It's better to take criticism from people who think you're evil than to admit that your device has a serious flaw, and I think maybe the security structure of the iPhone is a serious flaw.

When the iPhone was announced, Steve Jobs said it didn't allow third party apps because they could bring down the phone network. I thought that was stupid bluster at the time, because on most smartphones it's very difficult to do anything really nasty to the network: the applications and the radio run on separate processors, and the smartphone operating systems are limited enough that an app has little opportunity to do anything really heinous.

But the iPhone has a much more powerful OS in it, a derivative of Unix. The reports posted online by hackers who have played with the innards of the iPhone are very disturbing (link). Here's a great example:

EDGE network access is horribly slow, but it works....I made a few attempts to discover other hosts in the private address space, in hopes of finding other EDGE devices, but instead only found a few scattered routers, switches, and servers.

So the hacker was looking to hack other phones via AT&T's Edge network, and was not able to do so. That's a good thing from the perspective of the average user. But you have to wonder what those "scattered routers, switches, and servers" are. I doubt AT&T deploys switches and servers on its network just for laughs, so who knows how important they are to the functioning of the network, or how secure they are. I'm sure they were not set up with the expectation that hackers would be tickling them from an iPhone.

If you know the technical details of Edge and have any thoughts on this, please post a comment. Maybe I'm overstating the risk here. My personal reaction was that if I worked at an operator and read the quote above, my hair would stand on end (if I still had any).

Here's another interesting quote:

Every process runs as root. MobileSafari, MobileMail, even the Calculator, all run with full root privileges. Any security flaw in any iPhone application can lead to a complete system compromise. A rootkit takes on a whole new meaning when the attacker has access to the camera, microphone, contact list, and phone hardware. Couple this with "always-on" internet access over EDGE and you have a perfect spying device.

Well, that's pretty straightforward. There are already third party applications that turn a smart phone into a spying device, but you need physical access to that particular device in order to install them. The difference with the iPhone, according to this report, is that once you find a security hole you could install that sort of spyware remotely, via the wireless connection.

That led to a Computerworld article which says, basically, that viruses and other malware could spread from one iPhone directly to another without the user ever being aware of it (link). I'm not too alarmed by that just yet, because there isn't a critical mass of iPhones in any one geographic location to infect each other. But it could be interesting the next time there's a big gathering of iPhone users. Macworld, anyone?

To me the more troubling part of the report was the root privileges thing. I'm not a Unix expert, so I talked to someone who is. He confirmed that applications with root privileges in Unix can do just about anything. Unix is designed to empower programmers, and the assumption is that someone with root access knows what they are doing and can be trusted. (You can read some similar commentary in an eWeek column here).

There are ways to prevent third party applications from having root access, but the disturbing possibility (and I'm speculating here) is that Apple may have stripped out those protections in order to reduce the memory requirements of the iPhone and make it run faster. If that's the case, my friend said, it may be a pretty involved project for Apple to add those protections back in. Not at all impossible, but requiring a lot of work and time.
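One of the standard Unix protections referred to above is simply not to let an application keep root once it is running. The following is an added example, not code from the original post or from Apple: a launcher that starts as root, permanently drops to an unprivileged id before doing any untrusted work, and then checks that the drop cannot be undone. The function names (drop_privileges, verify_unprivileged, demo) and the choice of uid/gid 65534 ("nobody") are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently relinquish root. Order matters: supplementary groups and
 * the gid must be changed while still uid 0, because once the uid is
 * non-zero the kernel will refuse those calls. Returns 0 on success. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;                     /* only root may clear the group list */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)              /* sets real, effective and saved uid */
        return -1;
    return 0;
}

/* Confirm the process is really unprivileged: every id matches the
 * target, and an attempt to become root again is refused. Returns 1 if so. */
int verify_unprivileged(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (uid != 0 && setuid(0) == 0)    /* must fail; a success means the drop leaked */
        return 0;
    return 1;
}

/* When started as root, drop to "nobody" (65534, a conventional unprivileged
 * id); when started unprivileged, just re-affirm the current ids.
 * Returns 1 when the process ends up verified unprivileged. */
int demo(void)
{
    uid_t uid = getuid() == 0 ? (uid_t)65534 : getuid();
    gid_t gid = getuid() == 0 ? (gid_t)65534 : getgid();
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 0;
    }
    return verify_unprivileged(uid, gid);
}

int main(void)
{
    puts(demo() ? "running unprivileged" : "privilege drop failed");
    return 0;
}
```

Run it once as root and once as a normal user: in both cases the process should end up unable to regain uid 0, which is exactly the property the iPhone reports say is missing.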

Through my years in the industry, I've done a lot of research on technology users. One of the things I've learned is that security problems are a great way to scare people away from a new technology device. If it even sounds insecure, a lot of people will stay away from it. Based on what I'm seeing online, there is a lot of evidence that the iPhone as currently structured is a genuinely insecure device once any uncontrolled third party applications get onto it. What's more, keeping third party apps off your own iPhone does not necessarily protect you, because malicious software could propagate from device to device.

If I were working at Apple, and this were the situation, what would I do? Well, first I would not want to acknowledge the vulnerability, because that itself would scare away customers. Second, I would do everything in my power to shut down all third party native application development. Squash it, kill it completely. And I'd be willing to take a lot of criticism for doing so because the alternative, acknowledging the security problem, would produce even more bad PR.

Let me be very clear here: I'm not saying that I know this is what's going on at Apple; I don't. And I'm not trying to start any nasty rumors (they are already out there). I should also point out that some reports on iPhone security have been a lot less alarmist (for example, here is Symantec's take from early July). But that was before the latest reports surfaced.

I think we need to ask whether Apple botched the security of the iPhone in the belief that people wouldn't try to add apps to it. They could easily have made that assumption; there have been comparatively few efforts to add apps to the iPod, after all. But the publicity for the iPhone, and Apple's bragging that OS X was in it, made it an irresistible target for hacking.

If Apple really does have a security problem in the iPhone, I don't think they will be able to keep it quiet. Experience shows that the best approach in this sort of situation is to come clean about the problem, take your lumps, and fix it as soon as you can. That way you at least retain your reputation for honesty. If the iPhone really is vulnerable, Apple risks ending up with the worst of all possible worlds -- it'll damage its reputation for honesty, piss off a lot of technophiles, and people will still hear that the iPhone is insecure.

It will be interesting to see how Apple handles this issue in the weeks to come.

=====

Thanks to John Hering at Flexilis for pointing me to the Computerworld story.